Downloaded binary execution
Once a script moves from retrieval into local process execution, the event should be treated as a materially higher-severity host compromise candidate.
Why it matters
- Execution changes scope: The incident now involves live code on the endpoint, not just suspicious script text.
- Containment threshold: Isolation, malware analysis, and credential exposure review are usually justified sooner.
Next actions
- Preserve the payload: Capture the executable and its hash before remediation deletes it.
- Review child activity: Check the process tree, outbound traffic, persistence creation, and secondary payload downloads.
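As an added defender-side illustration of the two next actions above (example code, not part of the original playbook), the following Python hashes the preserved payload, rebuilds the process tree under the executed binary from constructed Sysmon-style telemetry, and pulls out the outbound connections, Run-key persistence and dropped files scoped to that tree. All pids, paths and the 203.0.113.10 address are invented sample values.

```python
import hashlib

# Constructed sample telemetry in a Sysmon-like shape (hypothetical host; pids, paths
# and addresses are invented). pid 900 is the shell that ran the downloading script.
EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 900, "image": r"C:\Users\u\Downloads\update.exe"},
    {"type": "network", "pid": 4100, "dest": "203.0.113.10:443"},
    {"type": "file", "pid": 4100, "path": r"C:\Users\u\AppData\Local\Temp\stage2.dll"},
    {"type": "process", "pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\reg.exe"},
    {"type": "registry", "pid": 4130, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process", "pid": 5000, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
]

# Constructed stand-in for the captured executable bytes; a real case reads the file.
PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60

def payload_sha256(data: bytes) -> str:
    """Hash the preserved payload so the evidence can be tied to later analysis."""
    return hashlib.sha256(data).hexdigest()

def descendants(events, root_pid):
    """Return root_pid plus every process spawned under it, following ppid links."""
    tree = {root_pid}
    while True:  # repeat until a pass adds nothing, so any nesting depth is covered
        new = {ev["pid"] for ev in events
               if ev["type"] == "process" and ev["ppid"] in tree and ev["pid"] not in tree}
        if not new:
            return tree
        tree |= new

def triage(events, root_pid):
    """Collect the child-activity signals the playbook asks for, scoped to the payload's tree."""
    tree = descendants(events, root_pid)
    report = {"processes": [], "outbound": [], "persistence": [], "dropped_files": []}
    for ev in events:
        if ev["pid"] not in tree:
            continue  # activity from unrelated sibling processes is left out
        if ev["type"] == "process":
            report["processes"].append(ev["image"])
        elif ev["type"] == "network":
            report["outbound"].append(ev["dest"])
        elif ev["type"] == "registry" and r"\CurrentVersion\Run" in ev["key"]:
            report["persistence"].append(ev["key"])
        elif ev["type"] == "file":
            report["dropped_files"].append(ev["path"])
    return report

if __name__ == "__main__":
    print(payload_sha256(PAYLOAD), triage(EVENTS, 4100))
```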